Forgot your password?
typodupeerror
Security Communications Handhelds Hardware

New Nokia Smartphones Leak E-mail Passwords 94

Posted by ScuttleMonkey
from the lazy-engineers dept.
Noksu writes "Despite of the recent plunge in Nokia's profits, the company is doing well in the surveillance business. The infamous 'Lex Nokia' got ratified in Finland and the company has launched a massive Nokoscope research project for data gathering. In the meantime Nokia's new smartphones forward e-mail account credentials to a remote server. Surprisingly enough, this is done in HTTP request headers. The company has been informed, but there has not been an official statement yet. Time for class action suit in the US?"
This discussion has been archived. No new comments can be posted.

New Nokia Smartphones Leak E-mail Passwords

Comments Filter:
  • Solution: (Score:5, Funny)

    by forkazoo (138186) <.moc.liamg. .ta. .snarcesorw.> on Friday April 17, 2009 @02:40PM (#27617813) Homepage

    Don't use 'GET /', 'HTTP/1.0', or 'user-agent' as your password, and you will be much less likely to have your password submitted automatically by an HTTP client program.

    • Re:Solution: (Score:5, Informative)

      by 0100010001010011 (652467) on Friday April 17, 2009 @02:55PM (#27618081)

      Hell, what if you use a ?, & or a # in your password? Something tells me they probably didn't do a url encode.

      Although you could have some fun with dumb snoopers out there.

      Just make your password:

      https://ccds.serviceactivation.ext.nokia.com:443/api/v1/rest/?operation=ccds.provider.determineAccount&applicationCode=email&
      address=test.user@mycompany.com&password=topsecret&
      mcc=244&mnc=91&carrier=sonera

      So the request would be:
      https://ccds.serviceactivation.ext.nokia.com:443/api/v1/rest/?operation=ccds.provider.determineAccount&applicationCode=email&
      address=test.user@mycompany.com&password=https://ccds.serviceactivation.ext.nokia.com:443/api/v1/rest/?operation=ccds.provider.determineAccount&applicationCode=email&
      address=test.user@mycompany.com&password=topsecret&
      mcc=244&mnc=91&carrier=sonera&
      mcc=244&mnc=91&carrier=sonera

    • Re:Solution: (Score:4, Insightful)

      by tritonman (998572) on Friday April 17, 2009 @02:59PM (#27618165)
      After reading the article, it doesn't seem that it uses the HTTP headers, it appears to use actual URL parameters, which is probably 100x worse. Either way, if it sends plain text passwords, that's just idiotic.
      • by X0563511 (793323)

        If it's HTTPS, those URL parameters are not transmitted in the clear.

        Or am I horribly mistaken? I hope not. Please let me be right?

      • Re: (Score:1, Interesting)

        by Anonymous Coward

        just like when you login to slashdot or almost any other site that requires a login. Yep, your password is sent as an unencrypted URL parameter.

        But it's an unencrypted password sent over an encrypted HTTPS channel (usually, hopefully), so it's not really "plain text".

        Neither is worse nor better: headers, or URL parameters. Server code can just as easily read headers as it can URL params and save them to a database or whatever it wants. And so could a sniffer if it's not HTTPS.

        You're basically saying that ne

    • by Vexorian (959249)
      what? bastard hacker! don't publish my passwords!
  • Response from Nokia (Score:5, Interesting)

    by GuldKalle (1065310) on Friday April 17, 2009 @02:44PM (#27617891)

    Nokias response [blogspot.com]

  • Non-issue? (Score:4, Informative)

    by TrebleJunkie (208060) <ezahurak@atl a n t i c b b . net> on Friday April 17, 2009 @02:48PM (#27617967) Homepage Journal

    This isn't really an issue, is it?

    Yes, it sends credentials through to Nokia, but it does _not_ use an un-encrypted HTTP connection to do it. It uses SSL/HTTPS. It's also _not_ done in HTTP Header messages, it's going through in the GET request.

    *shrug*

    • Re:Non-issue? (Score:5, Insightful)

      by Nos. (179609) <andrew@theker r s . ca> on Friday April 17, 2009 @02:53PM (#27618055) Homepage

      I guess Nokia getting your email account credentials isn't an issue for you.

      • Re:Non-issue? (Score:5, Insightful)

        by InsertWittyNameHere (1438813) on Friday April 17, 2009 @02:59PM (#27618161)

        If you setup an email on your Blackberry with BIS (not BES) then RIM has your credentials.

        Why is it an issue now with only Nokia?

        • Re: (Score:1, Informative)

          by Anonymous Coward

          Exactly..

          Nokia system works the same way - you create a master account at Nokia, which holds your credentials for other email accounts.

          Mobile email client then talks to Nokia servers who talk to all of your mailboxes.

          This article is not news.

          • Re:Non-issue? (Score:5, Informative)

            by digitalchinky (650880) <dtchky@gmail.com> on Friday April 17, 2009 @06:18PM (#27620935)

            This article is news, you are having comprehension issues. The article writer is not using or wanting a proxy to handle email.

            The short version, since you missed it.

            * Built in mail client set up wizard = spyware (And since there is no other method to create an account, how do you propose one avoid it?)

            When I set up thunderbird to talk to MY imap/pop server, I don't expect it to go off and give my authentication details to Mozilla.
            When I set up my phone in exactly the same way, I don't expect it to hand out my authentication info to Nokia.

            Thunderbird doesn't do this. Nokia does. How is that not news? The system you are talking about is entirely different to the one the author is describing.

            • Re:Non-issue? (Score:4, Interesting)

              by Anonymous Coward on Friday April 17, 2009 @10:25PM (#27623079)

              I know very well how Nokia Messaging works because I use it. This is their new email client that is now being shipped on recent higher-end phone(s), or that can be downloaded/installed on older models. It is made to compete with Blackberry services which work the same way.

              You can complete its setup over the web - you go to http://email.nokia.com/ [nokia.com] enter IMAP/POP server name/username/password and add up to 10 accounts to your main Nokia account.

              Alternatively, you can do these steps on the phone itself, which is what the OP described.

              You then run Nokia Messaging on your phone, enter your master credentials and have access to all of your accounts.

              This is how this service is designed. You may think it's not prudent to give Nokia your credentials, but this is how this service is designed and there are reasons for doing it this way.

              Claiming there is some conspiracy is silly.

            • by dissy (172727)

              It's called buying the right device for your needs.

              You don't go out and buy a hammer and complain it doesn't work well removing screws.

              If you want a device to check your email directly, then you should probably buy a device that can check your email directly.

              These devices do not work that way, so sound like the wrong choice if that is what you need.

              There are plenty of devices on the market that can check email directly and don't require their own server component in between. This person should be looking a

        • by Nos. (179609)

          I've never used BIS (or BES) so I'm not sure. But why would any email client need to pass the credentials it has to a third party to connect to a POP/IMAP server? If RIM is doing the same thing, then they should be called on it as well.

          This is no different than if Outlook sent your credentials to MS, or Thunderbird sent them to Mozilla.

          • Re:Non-issue? (Score:5, Informative)

            by InsertWittyNameHere (1438813) on Friday April 17, 2009 @03:17PM (#27618469)

            Basically their (RIM, etc) server will check for email, download it, compress it, then push it to your device.

            So if you have 10 email accounts rather than your device constantly checking each one, wasting data and battery life, the server does all that work and you get push email functionality.

          • by h4rr4r (612664)

            They do it because the blackberry has no real mail client. It is all done via some mess involving RIMs servers to get your mail for you.

            This is because the kind of people who use these devices have no idea how any of it works, they think it is all magic.

          • Re:Non-issue? (Score:5, Informative)

            by Sethb (9355) <bokelman@gmail.com> on Friday April 17, 2009 @03:28PM (#27618651) Homepage
            This is the way BIS works. The reason you get great battery life out of a Blackberry is that RIM's server is hitting your POP/IMAP server and checking for mail, then it just pushes it to your Blackberry as needed. Compared to running a Windows Mobile phone with your IMAP connection being live all day, the battery & traffic savings are enormous. The downside is that you have to share your username & password with RIM, unless you're using BES, which is what enterprises who worry about giving out their passwords do...
            • by ivucica (1001089)

              I have no info about BIS and I never used BlackBerry, but it sounds similar to what I observed Opera Mini doing.

              However, doesn't IMAP already "push" you information when you get new email into your inbox? And, how is it possible for the device to get the mail if it doesn't keep an open connection to the server? The only other way is polling... and that's not push mail, that's standard POP mail.

              I honestly don't know what could be so different about BIS.

              So, please tell me: what's so different compared to IMAP

          • by Nos. (179609)

            Ahh, didn't realize that this is how RIM's "push" email worked. Even still, according to the articles on the blog, this is not Nokia's Messaging server, just their basic POP/IMAP client. So again, Nokia shouldn't need it.

        • Re: (Score:3, Interesting)

          by causality (777677)

          If you setup an email on your Blackberry with BIS (not BES) then RIM has your credentials.

          Why is it an issue now with only Nokia?

          That's a good question. I'll give you my best guess at an answer, though a guess is all that it is.

          I should say up front that I don't know very much at all about Blackberries. I will assume that what you said is correct, that a Blackberry with BIS presents the very same privacy issue because it shares username/password credentials with a third party. Thus, the privacy issues posed by predecessors like the Blackberry can be viewed as a mistake or at least as less-than-optimal. If it's a mistake, then

          • It was more of a rhetorical question.

            • by causality (777677)

              It was more of a rhetorical question.

              You may have intended it that way, yes. That's the funny thing about posting in public forums -- people may respond in all sorts of ways, even those you did not intend! Okay, I'm being facetious. Seriously though, rhetorical questions are much more effective when the answer is obvious or assumed. They tend to fall apart when there are multiple answers and multiple viewpoints from which those answers can come.

              I'm responding this way because you're frankly coming across as rather smug. It's as though

          • Re: (Score:3, Interesting)

            by Binestar (28861)
            The thing I don't understand is why anyone would ever design the system in such a way that a third party needs to be trusted with confidential information. It seems unnecessary. What benefit does this provide that absolutely cannot be arranged by an independent e-mail client that stores such information locally on the phone? I suppose that same question can be rephrased as "does server-push provide any benefit that client-pull with a reasonable polling time could not also provide?"

            Battery life. By having
            • Re: (Score:2, Informative)

              by ivucica (1001089)

              IMAP, on a properly written client, in online mode, keeps the connection open and the server notifies the client when new messages arrive.

        • Well, that's the reason many people don't buy Blackberry phones. Nokia used to be different. But apparently Nokia phones are off the table as well now for anybody who cares about security.

          And why does it matter? Because once the password is sent in plain text anywhere, you have no control over it. It likely gets stored in Nokias server logs and on their backup tapes. Nokia employees can access it. Police can subpoena it. Intruders can sniff it. Etc.

      • Or Google. Or Microsoft. Or any other e-mail-service-provider.

        First thing I did on my phone, was install my own PIM- and communication suite. I would have loved to replace the OS, but this is still a bit of a rocky ride. Too rocky for a new phone with guarantee.

    • RTFBP again. He's not using any proxy server or messaging depot--he's going to connect directly to his company's mail server, and not have Nokia cache the email for him.

      Why does Nokia need a copy of his credentials in that case?

      (They don't.)

      • by VP (32928)

        RTFBP again. He's not using any proxy server or messaging depot

        Wrong, he is using Nokia Messaging, which is a service Nokia provides. This is what the "wizard" is all about.

        • Re: (Score:3, Informative)

          by GuldKalle (1065310)

          nope [slashdot.org].
          At least that was very clearly not his intention

          • Re: (Score:2, Redundant)

            by VP (32928)

            OK, so it isn't Nokia Messaging, it is the new wizard application, which checks that your credentials are valid by actually logging into the e-mail account, and if there are problems, alerts you to check your credentials instead of creating the account on your phone. While it would have been nice to get a warning that the wizard is doing that via a Nokia server, it is still not such a big deal.

            • Re:An issue. (Score:5, Insightful)

              by Culture20 (968837) on Friday April 17, 2009 @06:21PM (#27620977)

              it is still not such a big deal.

              Not a big deal to have your credentials sent to a third party? What if Nokia's wizard used a Finnish government server instead?
              What if a Chinese-made phone was sending username/password to a Chinese government server?
              What if Antti Järjestelmävalvojanen, a (fictitious) Nokia network admin, starts storing them on his thumb drive?

  • by Anonymous Coward on Friday April 17, 2009 @02:49PM (#27617983)

    Subby here: To clarify some things: this issue is on Nokia Messaging client. The only device (AFAIK) that currently ships with Nokia Messaging is E75. The older models use the old email/messaging software, that has nothing to do with Nokia Messaging service.

    I haven't checked how Nokia markets the Nokia Messaging service/client nowadays, but originally it was marketed as a service (the email proxy) and accompanying client, and you couldn't even use the client without the proxy service.

    Apparently this has changed now when E75 ships without the original standalone email client.

    So, E71 (or any other Nokia phone except E75) does not have this issue unless you have downloaded the separate Nokia Messaging software and use that for reading mail.

    • by GuldKalle (1065310) on Friday April 17, 2009 @03:10PM (#27618337)

      According to the bloggers followup [blogspot.com], at least three models are affected:
      5800 (20.0.0.12)
      N79 (11.049)
      E75 (110.48.78)

      Also from the followup:
      Yes, I know there is a solution called Nokia Messaging (read more from here), but maybe I wasn't clear enough in my initial post: I am configuring direct IMAP/POP access to my own/company/organization/whatever email service and I am not using nor planning to use Nokia's messaging proxy.

      • by Progoth (98669) on Friday April 17, 2009 @04:27PM (#27619471) Homepage

        I'm on the server software team, so I'm not completely sure about the client - but as I understand it, the client's hitting our CCDS server to save you the step of putting in server names / ports /etc. The service was written for Nokia Messaging, and is used there, but is also valid for the client to configure its built-in client.

        /just finished implementing push, non-POP Hotmail support for Nokia Messaging not too long ago

        • Hmm... how can it know the server name / port / etc, if I for example have
          some.person@secure-server.tld,
          and the server would be something like
          ssmtp://some.person:super-secret_password@mail.not-in-mx.secure-server.tld:39482?

          By the way: Why not just let users enter such an url?

          • And don't tell me "because the're too stupid and it is too irrelevant". The same was true for HTTP URLs in the beginning of the WWW. People learned it anyway. If you can do math at school and drive a car, stop whining and learn how to enter a damn URL! ^^

            • by drolli (522659)

              How often haveyou seen average people typing mor complicated urls than www.google.com? most of them are too stupid to find the navigation bar and eat the shit of whatever search bar or start page is provided on their computer for whatever reason.

        • by ivucica (1001089)

          ...and why isn't domain name (e.g. "gmail.com") sufficient for this autoconfiguration step? That is, why is the username + password needed?

          Only reason I can guess is "ok, let's get Nokia's server to try logging into mail.domain.com, then pop.mail.com, then imap.domain.com, then domain.com, and then give up" but ... in that case user should explicitly mark a checkbox "Send my user credentials to Nokia for autoconfiguration".

          Can you elaborate why it isn't so?

          PS Otherwise this service would be a great idea .

  • sneaky.. (Score:5, Funny)

    by Keruo (771880) on Friday April 17, 2009 @03:09PM (#27618307)
    Good thing my email password is ";drop database;"
  • sounds like (Score:5, Funny)

    by Presto Vivace (882157) <marshall@prestovivace.biz> on Friday April 17, 2009 @03:13PM (#27618403) Homepage Journal
    they're not very smart phones.
  • by Anonymous Coward

    I'm not surprised that the amateurs at Nokia would do this. The S60 platform on the whole seems like a throwback to the early 2000's, back when smartphone users were a marginalized bunch who would put up with niggling annoyances as long as they could receive email on their devices. If the iPhone OS is pretty much OS X on a phone, then S60 is like running Windows 98 on your phone.

    I'm pretty much convinced that anyone using a Nokia smartphone right now is a masochist. My experience with an E71 has been horren

    • Re: (Score:3, Insightful)

      by Anonymusing (1450747)

      The new "Mail by Nokia" system is hilariously crappy. They want you to give them the logins to your mail accounts, then they retrieve your email. Why would anyone do this?

      Probably for the same reason that people let Gmail do this [google.com].

  • by Elwood P Dowd (16933) <judgmentalist@gmail.com> on Friday April 17, 2009 @04:28PM (#27619483) Journal

    As commenters have already pointed out on those blog posts, push IMAP will require that Nokia stores your credentials on servers that check for your new email as a proxy.

    This request is https. If, during setup, you asked for push IMAP, or any number of other imaginable features for your mail account, sending your credentials to a Nokia or wireless carrier server will be necessary.

    Actually... if it's https... how the hell can this guy tell what the URL request is? Has he patched their email client to snitch?

    • Re: (Score:2, Insightful)

      by godel_56 (1287256)

      This request is https. If, during setup, you asked for push IMAP, or any number of other imaginable features for your mail account, sending your credentials to a Nokia or wireless carrier server will be necessary.

      Not only have you not RTFA but you haven't bothered to read the previous Slashdot comments. He is NOT using push email and he intercepted the communications on his own network using Webscarab and Wireshark. Nokia are only providing the comms terminal and have neither the need or the right to know his password or account details.

  • They're sending the email address, username and password to Nokia to do determine right settings (servername etc) for the email account. I suppose they have some sort of database of email settings for common email providers. Of course, we all know that they have to have the username and password, the domain part of the email address wouldn't be enough. I don't feel like a proud Finn right now. I'm also not very happy to deal with the issue, since I do it-support to a company that recently got few of these
  • Now that I know it's only Nokia, I don't have to throw away my perfectly good, still functioning, non-leaking, 6 YEAR old SAMSUNG cellphone.

    I was getting worried.

  • inexcusable (Score:1, Flamebait)

    by speedtux (1307149)

    Even Microsoft hasn't sunk to that level of incompetence and blatant violation of user privacy. Transmitting the user's password to a third party server in plain text over an unencrypted link is inexcusable.

    I have several Nokia phones; obviously, I need to get rid of them. If they make such a fundamental mistake, Nokia obviously cannot be trusted with anything.

    Fortunately, with Android, we now have a reasonable alternative.

    • Transmitting the user's password to a third party server in plain text over an unencrypted link is inexcusable.

      Is it unencrypted? You can have unencrypted https connections, but one would assume they would encrypt it. ...you did catch that s after the http in the url?

      No, what you should be concerned about is that it's being transmitted at all, since it's not required for the operation of the phone!

    • by anss123 (985305)

      I have several Nokia phones; obviously, I need to get rid of them. If they make such a fundamental mistake, Nokia obviously cannot be trusted with anything.

      The nGage should have been hint enough that there's something basic Nokia lacks, but this particular service is implemented sanely (encrypted, actually usefull and all that). Remember, never trust the edit summary.

  • Class action suit? (Score:3, Interesting)

    by PCM2 (4486) on Friday April 17, 2009 @06:38PM (#27621157) Homepage

    A class-action lawsuit? Seriously?

    Americans are crazy. One guy with a blog has discovered a security flaw. There has been no exploit for this flaw. Nobody is complaining that they've lost anything. What's more, this "issue" can be fixed with a firmware update. But no! Our sense of entitlement tells us that this is another opportunity to take a bunch of money out of the pockets of an eeeeeeeeeevvil corporation ... and put it into the pockets of a bunch of lawyers. Awesome.

    I love the part where Nokia hasn't even issued a response yet, and we interpret that as more reason to sue. Awesome.

    Every other post on Slashdot seems to be decrying how messed-up the system is in this country, and then the next post comes along demanding that we shovel more coal into the fires. Get your heads straight, please.

    • by dbcad7 (771464)
      I thought the same thing.. and then I realize that Nokia is not the i-phone.. if it was there would be all kinds of defenders popping out of the woodwork. I am willing to bet neither the blogger nor the submitter even has a Nokia phone, but this is all too much BS for me to bother reading the blog to check.
  • This is the price you pay for "push" e-mail on most mobile devices.

    Instead of having the phone constantly connected, polling and costing money in data bills, the network does it at their end, and can then notify the phone using some GSM jiggerypokery.

    FUD.

  • Give me a break... (Score:3, Informative)

    by Capt. Beyond (179592) on Saturday April 18, 2009 @01:21AM (#27623919)

    Here's to sensationalism and mis-representation.

    Nokoscope was not started by Nokia, but a one or two developers who happen to work for Nokia. It is not an official Nokia project, nor will it ever be, nor is it 'massive'. It will never be installed by default on any Nokia device.

I don't want to achieve immortality through my work. I want to achieve immortality through not dying. -- Woody Allen

Working...